Activity Monitoring for AWS

Identify overprovisioned and inactive users using CloudTrail logs.

ℹ️ Early Access: Monitoring for AWS is part of Access Monitoring, which must be enabled by our support team.

Veza gathers CloudTrail logs to audit user activity and generates Over Provisioned Scores (OPS) to show the percentage of unutilized access. This document provides steps to enable audit log extraction for an integrated AWS account.

Notes

  • Supported Entities: Veza generates over-provisioned scores for relationships between AWS IAM users and AWS S3 buckets, and between AWS IAM users and AWS Secrets Manager secrets. If Activity Monitoring is also enabled for Okta, Veza generates OPS for Okta identities with access to these resources.

  • Monitoring for multiple AWS accounts: To enable Activity Monitoring across several accounts in your organization, repeat these steps for each account integration. In Query Builder results, OPS is N/A for users from accounts where Activity Monitoring is not enabled.

  • The Activity Monitoring dashboard shows the dormant and over-provisioned AWS IAM Users, based on the resources they can access and the current Activity Monitoring time range. You can add constraints on OPS to Queries and Rules to enforce policies around user activity and actual resource usage.

Enabling Activity Monitoring for AWS

You can enable monitoring for a single AWS account with an account-level trail, or create an organization trail containing events from several regions and accounts:

  • In AWS, create an organization or account-level trail for activity monitoring, or use an existing one. If you have many accounts where you want to enable monitoring, an organization trail is recommended for easier configuration.

  • In AWS, ensure the IAM role used by the Veza integration is authorized to describe CloudTrail trails and to read the trail's log files in S3.

  • In Veza, enable audit logs for each AWS account integration. You can specify the same S3 bucket and organization trail (identified by its ARN) for all integrations.

Enabling Activity Monitoring with AWS Control Tower

For organizations that use AWS Control Tower to govern a multi-account AWS environment, AWS CloudTrail is configured by default, with two key accounts:

  • A Management account at the organization root, where Control Tower is configured.

  • A Log Archive account containing the S3 bucket where audit logs are stored.

In this scenario, you will need to configure Veza to extract audit logs from the log archive account, and skip extraction for the management account and other accounts in the organization:

  1. Integrate the Log Archive account with Veza, if it is not already. To do so, use CloudFormation for AWS Organizations, or add an AWS Account Integration.

  2. Ensure that the IAM policy attached to the Log Archive integration role includes the audit log extraction statement, allowing s3:ListBucket on the bucket and s3:GetObject on the log files.

  3. Enable audit logs for the Log Archive account integration. Enable the option "Extract for Organization" for this account.

  4. Enable audit logs for all other accounts in the organization, choosing the "Skip Extraction" option for each account.

See the following steps for more details. Apply the appropriate policies based on your CloudTrail configuration:

Step 1: Retrieve CloudTrail region and trail name

Each account integration connects to a single Trail with event logs for the desired regions, accounts, and resources to gather activity data.

  • To use an existing trail, open CloudTrail in the AWS Console and note the trail's name and home region for configuring the integration in Veza. The trail must record S3, Secrets Manager, and IAM events. Note that object-level S3 activity (for example GetObject) is logged as CloudTrail data events, which are not recorded by default: a trail that logs only management events shows no S3 usage at all, and every bucket will appear unused. Enable S3 data events on the trail for the buckets you want monitored.

  • If no existing trail is suitable, see Creating a Trail in the AWS documentation for the current instructions.

Step 2: Update AWS integration permissions

To enable Audit Log Extraction and Activity Monitoring for several AWS account integrations in Veza, you will need to update the IAM policy attached to the integration role within each AWS account to grant access to the S3 bucket and trail. (This is the role's permissions policy, not its trust policy; the trust policy only controls who may assume the role.)

The AWS IAM Policy used by each Veza-AWS integration must grant permissions to read CloudTrail metadata, and list and retrieve objects in the S3 bucket and path where the CloudTrail logs are stored.

Follow the instructions below for organization or account trails, depending on your AWS architecture.

To update the integration policy:

  1. On the AWS IAM Console, open the Policies page and locate the policy attached to the Veza integration role.

  2. Search for the following statement (Sid CloudTrail), and add it if it is missing:

    {
      "Sid": "CloudTrail",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:GetTrail"
      ],
      "Resource": "*"
    }

    This is required to discover whether trails exist in the AWS account. Creating an AWS integration using the recommended policy includes the CloudTrail statement by default.

  3. Enable access to the log bucket of the account or organization trail, using the statement in the next section.

  4. Save the changes to the policy.

Policy for audit log extraction

Update the integration IAM policy for the account that holds the organization trail's S3 bucket to include the following statements. Depending on your environment, this could be the management account, or a dedicated log archive account. The following statements allow Veza read access to retrieve logs from S3:

{
  "Sid": "CloudTrail",
  "Effect": "Allow",
  "Action": [
    "cloudtrail:GetTrail"
  ],
  "Resource": "*"
},
{
  "Sid": "CloudTrail-S3",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::<bucket name>/AWSLogs/<organization id>/*",
    "arn:aws:s3:::<bucket name>"
  ]
}

For an account-level trail, CloudTrail writes under AWSLogs/<account id>/ instead of AWSLogs/<organization id>/, so scope the object resource to that prefix. If the trail's log files are encrypted with SSE-KMS (an option in Control Tower), the integration role also needs kms:Decrypt on that key, or every GetObject will fail with AccessDenied even though the S3 statement above is correct. Keep the resource scoped to the AWSLogs prefix rather than granting s3:GetObject on the whole bucket; the bucket often holds other logs.

To configure Activity Monitoring, use the organization trail ARN to enable audit logs for accounts in the organization where you want to enable monitoring. Choose "Extract for Organization" for the account where logs are stored. For other accounts in the organization, enter the trail ARN and select "Skip Extraction".

See Creating a trail for an organization for more on configuring organization trails in AWS.

Step 3: Enable Audit Logs for the AWS Integration

In Veza, enable audit logs for each account where activity monitoring will be active:

  1. In Veza, open the Integrations page and click Enable Audit Logs next to the name of the AWS integration.

  2. In the modal, enter the values from AWS:

    • The name of the trail Veza will connect to, e.g., veza_s3_monitoring. For organization trails, or whenever the trail is owned by an account other than the integration account, enter the full trail ARN instead of the name.

    • The home region of the trail (the region in which it was created), e.g., us-east-2.

    • For organization trails stored in the management account, check "Extract for Organization" for the management account, and "Skip Extraction" for other accounts in the organization.

    • If your environment uses a log archive account for trail storage, check "Extract for Organization" for that account, and "Skip Extraction" for all other integrations.

    • For account trails, leave both checkboxes unchecked.

  3. Save your changes. The integration will gather CloudTrail logs to calculate Over Provisioned Scores during the next extraction cycle.

  4. Repeat this step for each AWS integration where you want to enable Activity Monitoring.
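The following pre-flight script ties Steps 1 to 3 together. It is an added example written for this page, not Veza's own code or tooling. It takes a trail description and event selectors in the dict shapes returned by the CloudTrail API (GetTrail and GetEventSelectors), checks that the trail is multi-region and records read and write management events plus S3 data events, derives the AWSLogs prefix the trail writes under, emits the IAM statements the integration role needs (adding kms:Decrypt when the trail reports a KMS key), and says which Enable Audit Logs option applies to a given account. The trail, bucket, key and account IDs are constructed sample data, and the option labels "extract_for_organization", "skip_extraction" and "account" are names chosen here for the dialog's checkboxes.

```python
"""Pre-flight checks for Veza Activity Monitoring CloudTrail prerequisites.

Added example, not Veza code. Inputs use the dict shapes returned by the
CloudTrail API (GetTrail -> "Trail", GetEventSelectors -> "EventSelectors"
and "AdvancedEventSelectors"). All sample data below is constructed.
"""
import json
import re

TRAIL_ARN = re.compile(
    r"^arn:aws:cloudtrail:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):trail/(?P<name>[^/]+)$"
)


def parse_trail_arn(arn):
    """Split a trail ARN into (home region, owning account, trail name)."""
    m = TRAIL_ARN.match(arn)
    if not m:
        raise ValueError(f"not a CloudTrail trail ARN: {arn}")
    return m.group("region"), m.group("account"), m.group("name")


def _advanced_fields(selector):
    """Map field name -> Equals values for one advanced event selector."""
    return {f["Field"]: f.get("Equals", []) for f in selector.get("FieldSelectors", [])}


def logs_management_events(basic, advanced):
    """True if read AND write management events (IAM, Secrets Manager) are recorded."""
    if any(s.get("IncludeManagementEvents") and s.get("ReadWriteType", "All") == "All"
           for s in basic):
        return True
    for s in advanced:
        f = _advanced_fields(s)
        if "Management" in f.get("eventCategory", []) and "readOnly" not in f:
            return True
    return False


def logs_s3_data_events(basic, advanced):
    """True if S3 object-level (data) events are recorded. They are off by
    default; without them no S3 read ever reaches the trail."""
    for s in basic:
        for r in s.get("DataResources", []):
            if r.get("Type") == "AWS::S3::Object" and r.get("Values"):
                return True
    for s in advanced:
        f = _advanced_fields(s)
        if "Data" in f.get("eventCategory", []) and "AWS::S3::Object" in f.get("resources.type", []):
            return True
    return False


def check_trail(trail, basic, advanced):
    """Return a list of problems; an empty list means the trail qualifies."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("single-region trail: activity in other regions is invisible")
    if not logs_management_events(basic, advanced):
        problems.append("management events not recorded with ReadWriteType All")
    if not logs_s3_data_events(basic, advanced):
        problems.append("S3 data events not recorded: no object-level S3 activity")
    return problems


def log_prefix(trail, org_id=None):
    """Key prefix CloudTrail writes under: AWSLogs/<org id>/ for organization
    trails, AWSLogs/<account id>/ for account trails, below any S3KeyPrefix."""
    _, account, _ = parse_trail_arn(trail["TrailARN"])
    if trail.get("IsOrganizationTrail") and not org_id:
        raise ValueError("organization trail requires the organization id")
    scope = org_id if trail.get("IsOrganizationTrail") else account
    base = trail.get("S3KeyPrefix", "").strip("/")
    return f"{base}/AWSLogs/{scope}/" if base else f"AWSLogs/{scope}/"


def integration_policy_statements(trail, org_id=None):
    """IAM statements for the integration role: the two statements from the
    page, plus kms:Decrypt when the trail's log files are SSE-KMS encrypted."""
    bucket = trail["S3BucketName"]
    stmts = [
        {"Sid": "CloudTrail", "Effect": "Allow",
         "Action": ["cloudtrail:GetTrail"], "Resource": "*"},
        {"Sid": "CloudTrail-S3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}/{log_prefix(trail, org_id)}*",
                      f"arn:aws:s3:::{bucket}"]},
    ]
    if trail.get("KmsKeyId"):
        stmts.append({"Sid": "CloudTrail-KMS", "Effect": "Allow",
                      "Action": ["kms:Decrypt"], "Resource": trail["KmsKeyId"]})
    return stmts


def extraction_mode(trail, integration_account, log_account=None):
    """Option to pick in Enable Audit Logs for one account integration.
    log_account is the account whose role reads the bucket: the trail owner by
    default, or the Log Archive account under Control Tower."""
    _, owner, _ = parse_trail_arn(trail["TrailARN"])
    if not trail.get("IsOrganizationTrail"):
        return "account"  # account trail: leave both checkboxes unchecked
    if integration_account == (log_account or owner):
        return "extract_for_organization"
    return "skip_extraction"


# Constructed sample: organization trail owned by management account
# 111111111111, logs in a KMS-encrypted bucket in Log Archive account 222222222222.
SAMPLE_TRAIL = {
    "Name": "org-activity-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:111111111111:trail/org-activity-trail",
    "HomeRegion": "us-east-2",
    "S3BucketName": "example-org-cloudtrail-logs",
    "S3KeyPrefix": "",
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True,
    "KmsKeyId": "arn:aws:kms:us-east-2:222222222222:key/00000000-0000-0000-0000-000000000000",
}
SAMPLE_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]

if __name__ == "__main__":
    print("problems:", check_trail(SAMPLE_TRAIL, SAMPLE_SELECTORS, []))
    print(json.dumps(integration_policy_statements(SAMPLE_TRAIL, "o-abc123"), indent=2))
    for acct in ("111111111111", "222222222222", "333333333333"):
        print(acct, extraction_mode(SAMPLE_TRAIL, acct, log_account="222222222222"))
```

To run it against a real account, feed check_trail the "Trail" object from `aws cloudtrail get-trail` and the two selector lists from `aws cloudtrail get-event-selectors`; the S3 data-event check is the one that most often fails in practice, since default trails record management events only.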
